A few days ago Vupen released a video purportedly showing that they had finally pwn3d Google Chrome, followed by the ensuing back-and-forth between Vupen and Google engineers on Twitter.
Vupen refuses to share their findings with Google, but has instead shared them with their customers.
At this point, Google has only stated that the attack vector appears to involve Flash, which, if true, would mean that it's not Chrome that got pwn3d but the Flash plugin yet again.
I don't know what credibility Vupen has left as a company in the eyes of the information security industry.
Their actions are no different from those of patent trolls or the many script kiddies who troll around the web showing off their half-baked warez.
I don't know how it benefits their customers to point out that a piece of software has a security hole if they don't let the developer know what the hole is.
I hope that their customers see the error of Vupen's ways and stop using their services so they can be forced to close shop and make way for other legitimate security vendors.
If Vupen is successful in extorting money from Google, I have a feeling that we might see a breed of trolling which I will call "pwn trolling".
These will be purported security organizations that find exploitable software bugs and ask the developers for money, otherwise leaving them to figure out on their own what the hole is.
As the Vupen-v-Google Chrome incident has shown, the issue is not whether Vupen found something legitimate; the publicity alone is enough to force a company to spend resources figuring out whether there is a real hole and then to turn around and dispel the bad publicity.
Cross-posted from Home+Power